
Re: [idn] IDN security and ACE leakage



DUDE and AMC-ACE-Z (not RACE, ACE37) already avoid
using '0', 'o', '1', 'l' in their base 32 encoding
for security reasons. It is a nice feature.
 
----- Original Message ----- 
From: "Martin Duerst" <duerst@w3.org>
To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
Sent: Sunday, July 15, 2001 12:54 PM
Subject: Re: [idn] IDN security and ACE leakage


> 'l' and '1' and 'I' ('ell' and 'one' and 'upper-case i') are
> almost indistinguishable. For security reasons, DNS-capable email
> programs (i.e. every email program) may display an email
> address using hexadecimal (ACE won't work).
> 
> How many programs actually do this?
> 
> Regards,   Martin.
> 
> At 12:16 01/07/15 +0900, Soobok Lee wrote:
> >Latin 'o' and Greek 'o' are almost indistinguishable
> >(and I can list hundreds of such examples),
> >but their ACE labels often look very different.
> >
> >For security reasons, IDN-capable email programs
> >may display an IDN email address
> >  both in its original scripts and in its ACEed form
> >  to encourage instant verification like this:
> >"FullName <i18n-mbox@i18n-hostname.com>" [qq--xxx@bq--yyy.com]
> >
> >It's more secure but looks ugly. Shorter ACE labels may help.
> >ACE labels are better than an appended hexadecimal dump of utf8 labels
> >for this purpose.
> >
> >Soobok Lee
>
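
The dual display proposed in the quoted message, as an added example that is not part of the original thread: it shows an address in its original script with the ACE form of the host appended, and also flags labels that mix scripts, which goes one step beyond the proposal. Assumptions: Python's built-in "idna" codec (RFC 3490, "xn--" prefix) stands in for the draft ACEs named in the thread, the mailbox part is ASCII, and the helper names and sample hosts are constructed for illustration.

```python
import unicodedata

def to_ace(host: str) -> str:
    # Assumption: Python's built-in "idna" codec (RFC 3490, "xn--" prefix)
    # stands in for the draft ACEs named in the thread.
    return host.encode("idna").decode("ascii")

def letter_scripts(label: str) -> set:
    # Rough script guess: first word of each letter's Unicode name.
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def mixed_script_labels(host: str) -> list:
    # Labels whose letters come from more than one script.
    return [lab for lab in host.split(".") if len(letter_scripts(lab)) > 1]

def display_address(full_name: str, mbox: str, host: str) -> str:
    # Original-script form first; the ACE form is appended in brackets only
    # when it differs, so plain ASCII addresses stay uncluttered.
    shown = f'"{full_name}" <{mbox}@{host}>'
    ace = to_ace(host)
    if ace != host:
        shown += f" [{mbox}@{ace}]"
    if mixed_script_labels(host):
        shown += " (mixed scripts)"
    return shown

# Constructed sample hosts: all-Latin, and one with GREEK SMALL LETTER OMICRON.
LATIN_HOST = "foo.example"
GREEK_HOST = "f\u03bfo.example"

if __name__ == "__main__":
    for h in (LATIN_HOST, GREEK_HOST):
        print(display_address("Full Name", "user", h))
```

The two hosts render identically in many fonts, but only the second gains a bracketed ACE form, which is the difference the reader is meant to notice.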